CloudWiki

NIST SP 800-53 is a catalog of controls that supports the development of secure and resilient federal information systems. It is part of the Special Publication 800 series published by the National Institute of Standards and Technology (NIST) and is updated continuously so that standards, controls, and assessments can be applied flexibly according to risk, cost-effectiveness, and organizational capabilities. Publication 4 provides a catalog of security and privacy controls for federal information systems and organizations, together with a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats, including hostile cyber-attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).

Compliance checks for Amazon Web Services

Severity | Check
Critical | IAM Role inline policy has overly permissive RDS access
Critical | IAM Role inline policy has overly permissive KMS access
Critical | IAM Role inline policy has overly permissive Kafka access
Critical | IAM Role inline policy has overly permissive OpenSearch access
Critical | IAM Role inline policy has overly permissive ElastiCache access
Critical | IAM Role inline policy is overly permissive
Warning | Ensure Kinesis Data Stream encryption is enabled
Critical | IAM Role with Admin access (*:*)
Critical | IAM Role inline policy has overly permissive DynamoDB access
Critical | IAM Role inline policy has overly permissive S3 access
Warning | Ensure IAM policies that allow over-privileged access to data are not created
Info | EC2 large instance creation alarm
Info | Internet Gateway (IGW) changes alarm
Info | Ensure API Gateway has the Content Encoding feature enabled
Warning | Ensure RDS instances have Multi-AZ disabled in dev environments
Critical | Ensure there is no unrestricted inbound access to TCP port 23 (Telnet)
Critical | Ensure default security groups are not in use by VPC Endpoints
Critical | Ensure default security groups are not in use by Lambda
Critical | Ensure default security groups are not in use by ElastiCache
Critical | Ensure default security groups are not in use by OpenSearch
Critical | Ensure default security groups are not in use by ECS
Critical | Ensure default security groups are not in use by ELB
Critical | Ensure default security groups are not in use by RDS
Critical | Ensure default security groups are not in use by ALB
Critical | Ensure default security groups are not in use by MSK
Critical | Ensure there is no unrestricted inbound access to TCP port 22 (SSH)
Critical | Ensure there is no unrestricted inbound access to TCP port 3389 (RDP)
Critical | Ensure there is no unrestricted inbound access to TCP port 80 (HTTP)
Critical | Ensure there is no unrestricted inbound access to UDP port 53 (DNS)
Critical | Ensure there is no unrestricted inbound access to TCP port 27017 (MongoDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 27018 (MongoDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 27019 (MongoDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 135 (RPC)
Critical | Ensure there is no unrestricted inbound access to TCP port 8080 (HTTP proxy)
Critical | Ensure there is no unrestricted inbound access to TCP port 8000 (HTTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 5432 (PostgreSQL)
Critical | Ensure there is no unrestricted inbound access to TCP port 137 (NetBIOS)
Critical | Ensure there is no unrestricted inbound access to TCP port 139 (NetBIOS)
Critical | Ensure there is no unrestricted inbound access to TCP port 1433 (MSSQL)
Critical | Ensure there is no unrestricted inbound access to TCP port 53 (DNS)
Critical | Ensure there is no unrestricted inbound access to TCP port 20 (FTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 21 (FTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 9200 (Elasticsearch)
Critical | Ensure there is no unrestricted inbound access to TCP port 1521 (OracleDB)
Critical | Ensure there is no unrestricted inbound access to TCP port 3020 (SMB / CIFS)
Critical | Ensure there is no unrestricted inbound access to TCP port 25 (SMTP)
Critical | Ensure there is no unrestricted inbound access to TCP port 3306 (MySQL)
Info | Route Table changes alarm
Info | IAM Policy changes alarm
Info | S3 Bucket changes alarm
Info | Security Group (SG) changes alarm
Critical | Ensure SageMaker Notebook data is encrypted
Info | VPC Peering changes alarm
Info | Transit Gateway (TGW) changes alarm
Info | NAT Gateway changes alarm
Info | VPC changes alarm
Warning | Ensure SageMaker Notebook Direct Internet Access is disabled
Warning | IAM User inline policy is overly permissive
Warning | IAM Role inline policy is overly permissive
Critical | Ensure EBS snapshots are not publicly accessible
Critical | Ensure EC2 AMIs are not publicly accessible
Warning | Ensure EBS snapshots are encrypted
Warning | Ensure EMR clusters are encrypted in transit and at rest
Info | Ensure EMR clusters archive log files to S3
Info | Ensure DynamoDB tables are encrypted with a customer-managed key
Critical | Ensure IAM password policy expires passwords within 90 days or less
Warning | Ensure IAM password policy requires at least one symbol
Warning | Ensure IAM password policy requires at least one uppercase letter
Warning | Ensure IAM password policy requires at least one number
Warning | Ensure IAM password policy requires at least one lowercase letter
Warning | IAM Role with high-privileged policies
Warning | Ensure IAM Role has no inline policy
Critical | Ensure IAM policies that allow full "*:*" administrative privileges are not created
Info | Ensure RDS is not using the default port 1433
Warning | Ensure security groups do not have ingress open to any (0.0.0.0/0)
Warning | Ensure EC2 instance uses an IAM profile
Info | Ensure that S3 buckets have the Object Lock feature enabled
Warning | EBS volume not in use
Warning | Ensure S3 object versioning is enabled
Warning | Ensure VPC flow logging is enabled in all VPCs
Warning | Ensure IAM Group has no inline policy
Warning | Ensure default security groups do not allow unrestricted traffic
Warning | Ensure CloudFront distributions enforce the HTTPS protocol for data in transit
Warning | Ensure communication between CloudFront distributions and their origins is encrypted using HTTPS
Critical | Ensure ElastiCache Redis clusters are encrypted in transit
Critical | Ensure ElastiCache Redis clusters are encrypted at rest
Warning | Ensure that CloudFront distributions are not using insecure SSL protocols
Warning | VPC endpoint is publicly accessible
Warning | Ensure IAM User has no inline policy
Warning | Ensure Zone Awareness is enabled for OpenSearch clusters
Warning | Ensure EBS volumes are encrypted
Critical | Ensure the S3 bucket for CloudTrail logs is not publicly accessible
Warning | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket
Warning | Ensure both VPN tunnels are up
Warning | Ensure SQS encryption is enabled
Warning | Ensure SNS encryption is enabled
Warning | Ensure CloudFront web distributions are configured to compress objects (files) automatically